
CloudFrontDistributionNoOutdatedSSL: Does not allow for s3 static hosting via cloudfront #1691

Open
cheruvian opened this issue May 13, 2024 · 1 comment
Labels
other This issue doesn't fit into the other categories

Comments

@cheruvian

What is the problem?

When using CloudFront to front a static S3-hosted website as an origin, CloudFront may only use HTTP-only:

HTTP Only – CloudFront uses only HTTP to access the origin. This is the default setting when the origin is an Amazon S3 static website hosting endpoint and cannot be changed.

This conflicts with the CloudFrontDistributionNoOutdatedSSL rule, which marks it as non-compliant:

            if (originProtocolPolicy != OriginProtocolPolicy.HTTPS_ONLY) {
              return NagRuleCompliance.NON_COMPLIANT;
            }

Reproduction Steps

When using isWebsite = true, S3Origin uses an HttpOrigin (aka CustomOriginConfig), which triggers the rule validation:

    import { Stack, StackProps } from 'aws-cdk-lib';
    import { Certificate } from 'aws-cdk-lib/aws-certificatemanager';
    import { Distribution, SecurityPolicyProtocol, SSLMethod, ViewerProtocolPolicy } from 'aws-cdk-lib/aws-cloudfront';
    import { S3Origin } from 'aws-cdk-lib/aws-cloudfront-origins';
    import { Bucket } from 'aws-cdk-lib/aws-s3';
    import { Construct } from 'constructs';

    export class ReproStack extends Stack {
      constructor(scope: Construct, id: string, props?: StackProps) {
        super(scope, id, props);

        // An imported bucket carries no website-hosting information, so force the flag:
        // with isWebsite set, S3Origin emits an HttpOrigin (CustomOriginConfig) pointing at
        // the S3 website endpoint, and that endpoint only speaks HTTP.
        const bucket = Bucket.fromBucketArn(this, `Bucket`, `arn:aws:s3:::fake-bucket`);
        (bucket as any).isWebsite = true;

        new Distribution(this, `Distribution`, {
          domainNames: [`fake-domain.com`],
          certificate: Certificate.fromCertificateArn(this, `Certificate`, `arn:aws:acm:us-east-1:12121321:certificate/1b3b1b3b-1b3b-1b3b-1b3b-1b3b1b3b1b3b`),
          minimumProtocolVersion: SecurityPolicyProtocol.TLS_V1_2_2021,
          sslSupportMethod: SSLMethod.SNI,
          logBucket: Bucket.fromBucketArn(this, `LogBucket`, `arn:aws:s3:::fake-log-bucket`),
          logIncludesCookies: false,
          defaultBehavior: {
            // Viewer side is fine (HTTPS enforced); it is the origin side that trips AwsSolutions-CFR5.
            viewerProtocolPolicy: ViewerProtocolPolicy.REDIRECT_TO_HTTPS,
            origin: new S3Origin(bucket),
          },
        });
      }
    }

What did you expect to happen?

It should exclude the S3 origin, as the security of the connection is ensured by AWS.

What actually happened?

[Error at /ReproStack/Distribution/Resource] AwsSolutions-CFR5: The CloudFront distributions uses SSLv3 or TLSv1 for communication to the origin.

cdk-nag version

2.28.114

Language

Typescript

Other information

No response

@cheruvian cheruvian added bug Something isn't working needs-triage This issue or PR still needs to be triaged. labels May 13, 2024
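To see why the website origin trips the rule while a plain S3 bucket origin does not, here is an added, stand-alone example that applies the rule's predicate to a CloudFormation template instead of a synthesized CDK app. It is not cdk-nag's code and not part of this issue; the `checkDistribution` / `checkTemplate` functions, the `Compliance` type and the sample template (with the issue's `fake-bucket` name and an assumed us-east-1 website endpoint) are constructed for illustration, and the walk over `CustomOriginConfig` is an approximation of the rule snippet quoted above plus the SSLv3/TLSv1 protocol check the error message refers to.

```typescript
// Added example (not cdk-nag's code): a stand-alone approximation of what
// AwsSolutions-CFR5 / CloudFrontDistributionNoOutdatedSSL checks, run over a
// CloudFormation template so the behaviour can be seen offline.

type Compliance = 'COMPLIANT' | 'NON_COMPLIANT';

interface CustomOriginConfig {
  OriginProtocolPolicy?: string;   // 'http-only' | 'match-viewer' | 'https-only'
  OriginSSLProtocols?: string[];   // e.g. ['TLSv1.2']
}

interface Origin {
  Id: string;
  DomainName: string;
  CustomOriginConfig?: CustomOriginConfig;          // HttpOrigin (website endpoint, ALB, API)
  S3OriginConfig?: { OriginAccessIdentity?: string }; // S3 REST endpoint origin
}

interface DistributionResource {
  Type: string;
  Properties?: { DistributionConfig?: { Origins?: Origin[] } };
}

interface Template {
  Resources: Record<string, DistributionResource>;
}

// Evaluate one distribution: only origins that carry a CustomOriginConfig are
// inspected; each must be https-only and must not list SSLv3 or TLSv1. An
// S3OriginConfig has no protocol policy at all, so it can never be flagged here.
export function checkDistribution(origins: Origin[]): Compliance {
  for (const origin of origins) {
    const cfg = origin.CustomOriginConfig;
    if (cfg === undefined) continue;
    if (cfg.OriginProtocolPolicy !== 'https-only') return 'NON_COMPLIANT';
    const protocols = cfg.OriginSSLProtocols ?? [];
    if (protocols.includes('SSLv3') || protocols.includes('TLSv1')) return 'NON_COMPLIANT';
  }
  return 'COMPLIANT';
}

// Walk a template and report every AWS::CloudFront::Distribution by logical id.
export function checkTemplate(template: Template): Record<string, Compliance> {
  const results: Record<string, Compliance> = {};
  for (const [logicalId, resource] of Object.entries(template.Resources)) {
    if (resource.Type !== 'AWS::CloudFront::Distribution') continue;
    const origins = resource.Properties?.DistributionConfig?.Origins ?? [];
    results[logicalId] = checkDistribution(origins);
  }
  return results;
}

// Constructed sample template (assumed values, not real synth output).
export const SAMPLE_TEMPLATE: Template = {
  Resources: {
    // The issue's case: S3Origin with isWebsite = true -> HttpOrigin, http-only.
    WebsiteOriginDistribution: {
      Type: 'AWS::CloudFront::Distribution',
      Properties: { DistributionConfig: { Origins: [{
        Id: 'website', DomainName: 'fake-bucket.s3-website-us-east-1.amazonaws.com',
        CustomOriginConfig: { OriginProtocolPolicy: 'http-only' },
      }] } },
    },
    // Same bucket through the REST endpoint (S3OriginConfig): not a custom origin.
    RestOriginDistribution: {
      Type: 'AWS::CloudFront::Distribution',
      Properties: { DistributionConfig: { Origins: [{
        Id: 'rest', DomainName: 'fake-bucket.s3.us-east-1.amazonaws.com',
        S3OriginConfig: { OriginAccessIdentity: '' },
      }] } },
    },
    // A custom origin that satisfies the rule.
    HttpsOriginDistribution: {
      Type: 'AWS::CloudFront::Distribution',
      Properties: { DistributionConfig: { Origins: [{
        Id: 'api', DomainName: 'api.fake-domain.com',
        CustomOriginConfig: { OriginProtocolPolicy: 'https-only', OriginSSLProtocols: ['TLSv1.2'] },
      }] } },
    },
    // https-only but still offering TLSv1 to the origin: the wording in the error message.
    LegacyTlsDistribution: {
      Type: 'AWS::CloudFront::Distribution',
      Properties: { DistributionConfig: { Origins: [{
        Id: 'legacy', DomainName: 'legacy.fake-domain.com',
        CustomOriginConfig: { OriginProtocolPolicy: 'https-only', OriginSSLProtocols: ['TLSv1', 'TLSv1.2'] },
      }] } },
    },
  },
};

console.log(JSON.stringify(checkTemplate(SAMPLE_TEMPLATE), null, 2));
```

Running it reports the website-endpoint distribution and the TLSv1 distribution as NON_COMPLIANT and the other two as COMPLIANT, which is the behaviour the issue describes: the flag comes from the `CustomOriginConfig` that `S3Origin` emits for a website bucket, not from anything about the viewer-side TLS settings.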
@dontirun
Collaborator

dontirun commented May 14, 2024

I don't think the rule should ignore this. While AWS guarantees the security of the connection between CloudFront and S3, this does not apply to the security of the connection between the viewer and CloudFront.

You can use https with S3 buckets if you use a custom certificate/DNS. That being said, that's still not compliant with the rule because while you can use "redirect http to https" you can't use "https only".

@dontirun dontirun added other This issue doesn't fit into the other categories and removed bug Something isn't working needs-triage This issue or PR still needs to be triaged. labels May 14, 2024